← Back to Apple macOS 13 (Ventura) Security Technical Implementation Guide

V-257232

CAT II (Medium)

The macOS system must be configured with a firmware password to prevent access to single user mode and booting from alternative media.

Rule ID

SV-257232r991589_rule

STIG

Apple macOS 13 (Ventura) Security Technical Implementation Guide

Version

V1R5

CCIs

CCI-000366

Discussion

Single user mode and the boot picker, as well as numerous other tools, are available on macOS through booting while holding the "Option" key down. Setting a firmware password restricts access to these tools.

Check Content

For Apple Silicon-based systems, this is not applicable.

Verify the macOS system is configured with a firmware password with the following command:

/usr/bin/sudo /usr/sbin/firmwarepasswd -check

Password Enabled:Yes

If "Password Enabled" is not set to "Yes", this is a finding.

Fix Text

Configure the macOS system with a firmware password with the following command:

/usr/bin/sudo /usr/sbin/firmwarepasswd -setpasswd

Note: If firmware password or passcode is forgotten, the only way to reset the forgotten password is through a machine-specific binary generated and provided by Apple. Users must schedule a support call and provide proof of purchase before the firmware binary will be generated.